Fake Apple traffic

What sets Clickr-ad apart from previous examples is its sophisticated attempt to pass off much of the traffic the apps generate as coming from a range of Apple models such as the iPhone 5, 6 and 8.

It does this by forging the User-Agent device and app identity fields in the HTTP request. However, it is careful not to overdo the technique by allowing a portion of the traffic to use identities from a wide selection of Android models too.
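One way a publisher or ad network can spot this kind of identity forgery on its own side is to look for a single client whose requests claim more than one operating system. The example below is added here and is not code from the article or from SophosLabs: it parses constructed ad-request log lines (a client identifier, a timestamp and the User-Agent), classifies each User-Agent as iOS or Android, and flags any client that switches between the two. The `client_id` field is assumed to be whatever stable identifier the logging side has (an advertising or device id, or a source address); the log format, sample values and the heuristic thresholds are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of ad-request log lines: client_id, epoch seconds, User-Agent.
# Client ids and User-Agent strings are made up for this example.
SAMPLE_LOG = """\
dev-a 1543400000 Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148
dev-a 1543400080 Mozilla/5.0 (Linux; Android 8.0.0; SM-G950F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36
dev-a 1543400160 Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15F79
dev-a 1543400240 Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Mobile/14E304
dev-b 1543400010 Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36
dev-b 1543400400 Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.+)$")
# Pull out the OS/version token the User-Agent claims, e.g. "iPhone OS 12_1" or "Android 8.0.0".
OS_RE = re.compile(r"(iPhone OS [\d_]+|Android [\d.]+)")


def classify_platform(user_agent):
    """Return 'ios', 'android' or 'other' based on the platform token of a User-Agent."""
    if re.search(r"\b(iPhone|iPad|iPod)\b", user_agent):
        return "ios"
    if "Android" in user_agent:
        return "android"
    return "other"


def claimed_os(user_agent):
    """Return the OS/version string the User-Agent claims, or 'unknown'."""
    m = OS_RE.search(user_agent)
    return m.group(1) if m else "unknown"


def parse_log(text):
    """Parse the constructed log format into (client_id, timestamp, user_agent) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            client, ts, ua = m.groups()
            records.append((client, int(ts), ua))
    return records


def find_platform_switchers(records):
    """Return {client_id: summary} for clients whose requests claim more than one platform.

    A genuine handset runs one operating system, so one client identifier alternating
    between iPhone and Android identities is a strong indicator of forged User-Agents.
    The summary includes the share of requests posing as iOS and every OS string claimed.
    """
    by_client = defaultdict(list)
    for client, _ts, ua in records:
        by_client[client].append(ua)

    flagged = {}
    for client, uas in by_client.items():
        platforms = {classify_platform(ua) for ua in uas}
        if len(platforms) < 2:
            continue  # consistent identity; nothing to report
        ios_hits = sum(1 for ua in uas if classify_platform(ua) == "ios")
        flagged[client] = {
            "platforms": sorted(platforms),
            "ios_share": ios_hits / len(uas),
            "claimed_os": sorted({claimed_os(ua) for ua in uas}),
        }
    return flagged


if __name__ == "__main__":
    for client, summary in find_platform_switchers(parse_log(SAMPLE_LOG)).items():
        print(client, summary)
```

On the constructed sample, `dev-a` is flagged because it presents itself as three different iPhone OS versions and one Android handset within a few minutes, while `dev-b` stays a consistent Android device and is left alone. In practice the same grouping can be keyed on whatever identifier is stable for a given client, and the iOS share per client gives a direct view of how much "premium" traffic a source is manufacturing.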

The Apple fakery is about making money – advertisers pay more for traffic that appears to come from Apple devices than from the larger volume of more socially diverse Android ones.

The difference is probably only small fractions of a penny, but for a business built on click volume, those fractions add up over time.

The ad fraud boom

Ad fraud malware must constantly update itself to remain useful to its makers.

To maximise revenue, Clickr-ad’s command and control (C2) changes the ad profile every 80 seconds and downloads new SDK modules every 10 minutes.

What to do?

The effect of this kind of app is to drain the device’s battery, generate data traffic users might be charged for, and generally bog down the device by constantly clicking on ads.

Because there is nothing to stop the malware’s creators from installing other malware on devices, SophosLabs decided to classify it as malicious rather than merely unwanted.

The apps were removed from the Play store in the week of 25 November but because their C2 infrastructure remains in place it’s likely they will continue clicking away until they are removed by device owners.

Simply force-closing the app won’t do the trick because it can restart itself after three minutes – a full uninstall is needed.

An extra precaution would be to conduct a full factory reset after ensuring all data has been synchronised to Google’s cloud.

To reduce the possibility of a return, we recommend running mobile anti-malware, such as the free Sophos Mobile Security for Android.

Conclusions

Number one, although it’s mostly safer to download apps from the Play store than anywhere else, it doesn’t guarantee that what you just installed isn’t malicious.

Number two, mobile click fraud isn’t going to go away; indeed, it will likely continue to grow as a problem. It’s simply too lucrative, and Google clearly isn’t on top of the problem despite numerous initiatives to tighten app checking. What’s more, the beauty of Clickr-ad, from its makers’ point of view, is that it’s a whole platform for ad fraud which could be deployed inside other apparently innocent apps.

Finally, while SophosLabs researchers haven’t detected this malware in Apple’s App Store, it should be noted that iOS apps from the same developers were found on the iTunes store minus the click fraud functions.

It’s really a shame (and maybe a crime) that Google doesn’t notify people when an app they downloaded is identified as malicious. Heck, they don’t even have a publicly available list to see if you got infected from the Play Store…